On formulas for decoding binary cyclic codes - Magali Bardet

Daniel Augot (INRIA-Rocquencourt, Domaine de Voluceau, Le Chesnay, FRANCE)

Magali Bardet (Laboratoire LITIS, Université de Rouen)

Jean-Charles Faugère (INRIA Rocquencourt, Salsa project, Université Pierre et Marie Curie-Paris 6, UMR 7606, LIP6)

Abstract— We address the problem of the algebraic decoding of any cyclic code up to the true minimum distance. For this, we use the classical formulation of the problem, which is to find the error locator polynomial in terms of the syndromes of the received word. This is usually done with the Berlekamp-Massey algorithm in the case of BCH codes and related codes, but for the general case there is no generic algorithm to decode cyclic codes. Even in the case of the quadratic residue codes, which are good codes with a very strong algebraic structure, there is no available general decoding algorithm. For this particular case of quadratic residue codes, several authors have worked out, by hand, formulas for the coefficients of the locator polynomial in terms of the syndromes, using the Newton identities. This work has to be done for each particular quadratic residue code, and becomes more and more difficult as the length grows. Furthermore, it is error-prone. We propose to automate these computations, using elimination theory and Gröbner bases. We prove that, by computing appropriate Gröbner bases, one automatically recovers formulas for the coefficients of the locator polynomial in terms of the syndromes.

Index Terms— Algebraic decoding, general cyclic codes, Newton identities, elimination theory, Gröbner bases.

I. INTRODUCTION

There is a longstanding problem of efficiently decoding binary quadratic residue codes. For each prime number $l$ such that 2 is a quadratic residue modulo $l$, there exists essentially one such code. It is a cyclic code of length $l$ whose defining set is the set of quadratic residues modulo $l$. It is proven that the minimum distance of these codes is at least $\lfloor \sqrt{l} \rfloor$ (the square-root bound). But compiled tables show that the minimum distance of these codes is much better than this bound, and it is an open question to find or to estimate the minimum distance of these codes, although some progress has been achieved [1]. To date, there is no general decoding algorithm for the whole class of quadratic residue codes. Several efforts have been made for particular cases, that is to say for each particular length, mainly by Chen, Truong, Reed, Helleseth and others [2], [3], [4], [5], [6], [7], [8], [9], for the lengths 31, 23, 41, 73, 47, 71, 79, 97, 103 and 113. All these decoding algorithms are based on the Newton identities, which involve the so-called error locator polynomial and the syndromes of the received word. These Newton identities have to be written for each particular length, and then worked out to isolate the coefficients of the locator polynomial in terms of the syndromes, while eliminating the unknown syndromes which appear in the Newton identities. This elimination procedure is hand crafted by the authors. So it is tedious, prone to errors, and the authors may fail to find formulas for the coefficients of the locator polynomial.

A separate path of research has been to use the theory of Gröbner bases for decoding any cyclic code. It was originated by Cooper [10], [11], [12], although the results were unproven. Cooper uses an algebraic system of equations, closely related to the decoding problem, but different from the Newton identities. These works only deal with BCH codes. Later, these algebraic systems have been studied by Loustaunau and von York [13] and by Caboara and Mora [14], for any cyclic code, and they give proofs of the statements by Cooper. In this vein of research, one studies the ideal generated by the system of equations, and tries to prove that the symbolic locator polynomial belongs to this ideal. Then this polynomial can be found by the computation of a Gröbner basis with respect to a relevant ordering on the monomials. These systems of equations, and the corresponding so-called CRHT variety, have been extensively studied by Orsini and Sala [15]. They improve on them by introducing a new variety, which eliminates spurious solutions. Orsini and Sala prove that every cyclic code admits a general error locator polynomial, which is a polynomial whose coefficients are polynomials whose indeterminates are the syndromes. This polynomial is such that, when evaluated on the syndromes of an error, it turns out to be the error locator polynomial of that error. In [16], the same authors extensively compute the general error locator polynomials of all binary cyclic codes of length less than or equal to 63 correcting two errors. Another system, defined by the Newton identities, has been considered by Chen, Helleseth, Reed and Truong [17] (see also [18], [19]). In that case, the aim is to prove that the ideal generated by the Newton identities contains, for each coefficient $\sigma_i$ of the locator polynomial, a polynomial whose leading monomial is of degree one in $\sigma_i$, and that this polynomial does not involve the unknown syndromes. So we may say that one also recovers a general error locator polynomial, but from a different system of equations.

II. OUR CONTRIBUTION

We have already discussed the use of Gröbner bases for decoding cyclic codes [20], with a system different from the Newton identities. At that time, we discussed the computation of Gröbner bases online: for each received word, one computes the syndromes and substitutes them into an algebraic system of equations. Then the computation of the Gröbner basis gives the coefficients of the locator polynomial which are sought. In this work, we discuss the idea of precomputing the Gröbner basis of a system in which the syndromes are left as indeterminates. Then we show that this Gröbner basis leads to formulas for the coefficients of the locator polynomial. This is called one-step decoding. Still, there is the problem that these formulas for the coefficients $\sigma_i$ of the locator polynomial are of the form $p_i \sigma_i + q_i = 0$, where $p_i, q_i$ involve only the syndromes. Thus $\sigma_i$ is found as
$$\sigma_i = \frac{q_i}{p_i},$$
which may lead to a division by zero when the actual values of the syndromes are substituted into $p_i$. Our second contribution is to introduce a new ideal, which contains formulas of the form $\sigma_i + q_i = 0$. Thus finding the $\sigma_i$'s does not involve any division after substitution.

III. DEFINITIONS

We consider only binary cyclic codes. Let $n$ be the length, which is odd, and let $\alpha$ be a primitive $n$-th root of unity in some extension $\mathbb{F}_{2^m}$ of $\mathbb{F}_2$. To each binary word $c = (c_0, \ldots, c_{n-1})$ of length $n$ is associated the polynomial $c_0 + c_1 X + \cdots + c_{n-1} X^{n-1}$. The Fourier Transform of $c$ is the vector $S = (S_0, \ldots, S_{n-1})$ with $S_i = c(\alpha^i)$. A cyclic code is built by considering a defining set $Q = \{i_1, \ldots, i_l\} \subset \{0, 1, \ldots, n-1\}$. The cyclic code $C$ of defining set $Q$ is then the set of words whose Fourier Transform satisfies $S_{i_1} = \cdots = S_{i_l} = 0$. Let $y \in \mathbb{F}_2^n$ be the received word, to be decoded. As usual, we write $y = c + e$, where $c$ is the codeword and $e$ is the error. We compute the Fourier Transform $S$ of $y$, and for $i \in Q$ we have
$$S_i = y(\alpha^i) = c(\alpha^i) + e(\alpha^i) = e(\alpha^i), \qquad i \in Q,$$
since $c \in C$. The $S_i$'s, $i \in Q$, are called the syndromes of $e$, and the $S_j$'s, $j \notin Q$, are the unknown syndromes. The decoding problem is to find $e$ given the syndromes $S_i$, $i \in Q$, under the constraint that the weight of $e$ is bounded by $t = \lfloor (d-1)/2 \rfloor$, where $d$ is the minimum distance of $C$; $t$ is the decoding radius of $C$.

IV. THE NEWTON IDENTITIES

Let the error $e$ be of weight $w$, and let $u_1, \ldots, u_w$ be the indices of the nonzero coordinates of $e$. These indices are encoded in the locator polynomial $\sigma(Z)$, defined as follows:
$$\sigma(Z) = \prod_{i=1}^{w} \left(1 - \alpha^{u_i} Z\right) = \sum_{i=0}^{w} \sigma_i Z^i,$$
where $\sigma_1, \ldots, \sigma_w$ are the elementary symmetric functions of $\alpha^{u_1}, \ldots, \alpha^{u_w}$, which are called the locators of $e$. We denote by $Z_1, \ldots, Z_w$ the locators of $e$. Finding $e$ is equivalent to finding $\sigma(Z)$, and the problem is considered solved when $\sigma(Z)$ is found, thanks to the Chien search [21]. The Newton identities relate the elementary symmetric functions of the locators of $e$ to the coefficients of the Fourier Transform of $e$. They have the following form (see [22]):
$$\begin{cases} S_i + \displaystyle\sum_{j=1}^{i-1} \sigma_j S_{i-j} + i\,\sigma_i = 0, & i \le w, \\[6pt] S_i + \displaystyle\sum_{j=1}^{w} \sigma_j S_{i-j} = 0, & w < i \le n + w. \end{cases} \tag{1}$$
Note that the indices of the $S_i$ are cyclic, i.e. $S_{i+n} = S_i$. In these equations there are the $\sigma_i$'s, which we are looking for, the $S_i$'s, $i \in Q$, which are known, and the $S_i$'s, $i \notin Q$, which we try to eliminate. Our objective is to find an expression of the $\sigma_i$'s in terms of the $S_i$'s, $i \in Q$.

V. ELIMINATION THEORY

We consider the ideal $I_{N,w}$ generated by the Newton identities:

$$I_{N,w} = \left\langle\; S_i + \sum_{j=1}^{i-1} \sigma_j S_{i-j} + i\,\sigma_i,\ i \le w;\qquad S_i + \sum_{j=1}^{w} \sigma_j S_{i-j},\ w < i \le n + w \;\right\rangle. \tag{2}$$

Let us denote by $\sigma$ the set of variables $\sigma_1, \ldots, \sigma_w$, by $S_Q$ the set $\{S_i;\ i \in Q\}$, and by $S_N$ the set $\{S_i;\ i \notin Q\}$. Then $I_{N,w}$ is an ideal in the polynomial algebra $\mathbb{F}_2[\sigma, S_Q, S_N]$. A Gröbner basis of an ideal $I$ is a particular set of generators of $I$ which is well behaved with respect to various operations: it makes it possible to test equality of ideals, to test ideal membership, and so on. Due to lack of space, we do not recall the formal definition here; it can be found in [23]. We recall that this notion depends on a monomial ordering: for each particular monomial ordering there exists a corresponding Gröbner basis. Of utmost importance for us are the following considerations [23].

Definition 1: Let $I \subset \mathbb{F}_2[x_1, \ldots, x_m]$. Then the ideal $I_k = I \cap \mathbb{F}_2[x_{k+1}, \ldots, x_m]$ is the $k$-th elimination ideal. It is the set of all the relations that can be obtained on $x_{k+1}, \ldots, x_m$ by elimination of the first $k$ variables $x_1, \ldots, x_k$.

Proposition 1: Let $I \subset \mathbb{F}_2[x_1, \ldots, x_m]$ be an ideal and let $G$ be a Gröbner basis of $I$ for the lexicographical ordering with $x_1 > \cdots > x_m$. Then the set $G_k = G \cap \mathbb{F}_2[x_{k+1}, \ldots, x_m]$ is a Gröbner basis of the $k$-th elimination ideal $I_k = I \cap \mathbb{F}_2[x_{k+1}, \ldots, x_m]$.

Thus it is sufficient to compute a single Gröbner basis $G$, and to retain the relevant polynomials, in order to eliminate the unwanted variables. For the problem of decoding, we get:

Proposition 2: Let a monomial ordering be given such that the $S_i$'s, $i \notin Q$, are greater than the $S_i$'s, $i \in Q$, and than the $\sigma_i$'s. Let $G$ be a Gröbner basis of $I_{N,w}$ for this ordering. Then $G \cap \mathbb{F}_2[\sigma, S_Q]$ is a Gröbner basis of the elimination ideal $I_{N,w} \cap \mathbb{F}_2[\sigma, S_Q]$.

This means that, if we compute a Gröbner basis of $I_{N,w}$ for a relevant ordering, we find a (finite) basis of all the relations between the $\sigma_i$'s and the $S_i$'s, $i \in Q$. The problem is that these relations may not be of degree one in the $\sigma_i$'s. Our aim is to prove that there exist relations of the form $p_i \sigma_i + q_i$ in this ideal, where $p_i, q_i \in \mathbb{F}_2[S_Q]$.

VI. THE VARIETY ASSOCIATED TO THE NEWTON IDENTITIES

First we have to study $V(I_{N,w})$, the variety associated to the ideal $I_{N,w}$. It is the set of all $\sigma_i$'s, $S_i$'s which satisfy the Newton identities. Note that we consider this variety in $\overline{\mathbb{F}_2}$, the algebraic closure of $\mathbb{F}_2$. We have the following Theorem, which is an extension of the main result of [24].

Theorem 1: Let $(\sigma, S)$ be in $V(I_{N,w})$, with $\sigma = (\sigma_1, \ldots, \sigma_w) \in \overline{\mathbb{F}_2}^{\,w}$ and $S = (S_0, \ldots, S_{n-1}) \in \overline{\mathbb{F}_2}^{\,n}$. Let $e$ be the inverse Fourier Transform of $S$. Note that a priori $e$ has coordinates in $\overline{\mathbb{F}_2}$. Then
1. the weight of $e$ is at most $w$;
2. $e$ has indeed coordinates in $\mathbb{F}_2$;
3. if $\sigma(Z)$ is the polynomial $1 + \sum_{i=1}^{w} \sigma_i Z^i$, and if $\sigma_e(Z)$ is the locator polynomial of $e$, then there exist an integer $l$ and a polynomial $G(Z)$ such that
$$\sigma(Z) = \sigma_e(Z)\, G(Z)^2\, Z^l.$$

Proof: Omitted due to lack of space.

From the Nullstellensatz [23], we have:

Corollary 1: Let $I_{N,w} \cap \mathbb{F}_2[S_Q, S_N]$ be the elimination ideal of the $\sigma_i$'s. If $I_{N,w}$ is radical, then $I_{N,w} \cap \mathbb{F}_2[S_Q, S_N]$ is the set of all the relations between the coefficients of the Fourier Transform of the binary words of weight at most $w$. Furthermore, if we eliminate the $S_i$'s, $i \notin Q$, then $I_{N,w} \cap \mathbb{F}_2[S_Q]$ is the set of all the relations between the syndromes of the words of weight at most $w \le t$.

Corollary 2: Let $S_{Q,e}$ be the set of syndromes of some word $e$. Let $T_w$ be a basis of $I_{N,w} \cap \mathbb{F}_2[S_Q]$. Then $e$ has weight $w \le t$ if and only if
$$t(S_{Q,e}) = 0 \quad \text{for all } t \in T_v, \text{ for all } v \le w. \tag{3}$$

VII. RADICAL IDEALS

In the above, we have stumbled on the difficulty of proving that $I_{N,w}$ is a radical ideal. We believe it is, but we have not been able to prove it. To overcome this difficulty, we consider the ideal $I'_{N,w}$, where we add the "field equations" to ensure that the $\sigma_i$'s and the $S_i$'s belong to the field $\mathbb{F}_{2^m}$. It is the ideal
$$I'_{N,w} = I_{N,w} + \left\langle\; S_i^{2^m} + S_i,\ i \in \{0, \ldots, n-1\};\qquad \sigma_i^{2^m} + \sigma_i,\ i \in \{1, \ldots, w\} \;\right\rangle. \tag{4}$$
Thanks to these field equations, the ideal $I'_{N,w}$ is radical and has dimension zero (it has a finite number of solutions). This is a consequence of [25, Chap. 2, Prop. 2.7], which implies that, if an ideal contains, for each variable, a square-free univariate polynomial in this variable, then it is radical. One can prove the following.

Theorem 2: For each binary word $e$ of weight $w$ at most $t$, for each $i \in \{1, \ldots, w\}$, the ideal $I'_{N,w}$ contains a polynomial
$$p_i \sigma_i + q_i,$$
with $p_i, q_i \in \mathbb{F}_2[S_Q]$ such that $p_i(S_{Q,e}) \neq 0$, where $S_{Q,e}$ is the set of the syndromes of $e$.

Proof: Omitted due to lack of space.

Thus the decoding algorithm could be:
1) (precomputation) For each $w \in \{1, \ldots, t\}$, compute a Gröbner basis $G_w$ of $I'_{N,w}$ for an ordering such that the $S_i$, $i \notin Q$, are greater than the $\sigma_i$'s, which in turn are greater than the $S_i$'s, $i \in Q$;
2) (precomputation) from each Gröbner basis $G_w$, for each $i$, collect all the relations $p_i \sigma_i + q_i$; call $\Sigma_{w,i}$ this set;
3) (precomputation) from each Gröbner basis $G_w$, collect the polynomials in $G_w \cap \mathbb{F}_2[S_Q]$; call $T_w$ this set of polynomials;
4) (online) for each received word $y$, compute the syndromes $S_{Q,y} = S_{Q,e}$, where $e$ is the error to be found;
5) (online) find the weight $w_e$ of $e$ using the criterion (3);
6) (online) for each $i \in \{1, \ldots, w_e\}$:
   a) find a relation $p_i \sigma_i + q_i \in \Sigma_{w_e,i}$ such that $p_i(S_{Q,e}) \neq 0$;
   b) solve for $\sigma_i$: $p_i(S_{Q,e})\, \sigma_i = q_i(S_{Q,e})$.

There are two difficulties with this approach. First, the Gröbner basis can contain many polynomials of the form $p_i \sigma_i + q_i$, $i \in \{1, \ldots, w\}$, as we have observed on examples. Second, the field equations of the type $\sigma_i^{2^m} + \sigma_i$ and $S_i^{2^m} + S_i$ can be of large degree, even though the length of the code is moderate. For instance, in the case of the quadratic residue code of length 41, the splitting field is $\mathbb{F}_{2^{20}} = \mathbb{F}_{1048576}$. This means that $I'_{N,w}$ contains equations of degree more than one million, and the computation of the Gröbner basis is intractable. It is natural to try to remove the field equations, and to consider the ideal $I_{N,w}$ without the field equations.

VIII. AN AUGMENTED IDEAL

The difficulty, as mentioned above, is that we have not proven that $I_{N,w}$ is a radical ideal, which is a necessary ingredient, among others, to prove Theorem 2. We will build an ideal which contains $I_{N,w}$, which is radical, and which will contain "nice" formulas. First we introduce the ideal $I_\sigma$ corresponding to the definitions of the elementary symmetric functions, and $I_S$ corresponding to the definition of the coefficients of the Fourier Transform:
$$I_\sigma = \left\langle\; \sigma_i - \sum_{1 \le j_1 < \cdots < j_i \le w} Z_{j_1} \cdots Z_{j_i};\ i \in \{1, \ldots, w\} \;\right\rangle;$$
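The objects of Sections III, IV and VII, worked through on the quadratic residue code of length 23 (the binary Golay code) as an added example; this is our own illustration, not the authors' code, and it uses no Gröbner basis. It assumes that $x^{11} + x^2 + 1$ is primitive over $\mathbb{F}_2$ (a standard table value), so that $\mathbb{F}_{2^{11}}$ is the splitting field (the order of 2 modulo 23 is 11; the same helper gives 20 for length 41, the $\mathbb{F}_{2^{20}}$ of Section VII). It builds the defining set $Q$ of quadratic residues, encodes with $g(X) = \prod_{i \in Q}(X - \alpha^i)$, checks that the syndromes of $y$ equal those of $e$ and that the true locator satisfies the Newton identities (1), and decodes up to two errors with the relations that (1) gives for $i = 1, 2, 3$ (all in $Q$): $\sigma_1 = S_1$, $S_2 = S_1^2$, and $S_1 \sigma_2 + (S_3 + S_1^3) = 0$, which is the $p_i \sigma_i + q_i$ shape with $p_2 = S_1$, nonzero for any error of weight two. For three errors the identity $i = 5$ brings in the unknown syndrome $S_5 \notin Q$, which is exactly where the elimination of Section V is needed; the example stops short of that. The message bits and error positions are constructed test data.

```python
# Added example, not the paper's code: the QR code of length 23 over F_{2^11}.
N = 23
Q = sorted({(i * i) % N for i in range(1, N)})   # defining set: quadratic residues mod 23

def splitting_degree(n):
    """Order of 2 mod n: alpha lies in F_{2^m}, so the Section VII field equations have degree 2^m."""
    m, p = 1, 2 % n
    while p != 1:
        p, m = (p * 2) % n, m + 1
    return m

M = splitting_degree(N)                 # 11
POLY = (1 << 11) | (1 << 2) | 1         # x^11 + x^2 + 1, assumed primitive over F_2

def gf_mul(a, b):
    """Multiply in F_{2^11} = F_2[x]/(POLY); elements are 11-bit integers."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= POLY if a >> M else 0
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

ALPHA = gf_pow(2, ((1 << M) - 1) // N)  # x^89 is a primitive 23rd root of unity

def poly_eval(coeffs, x):
    """Horner evaluation of c_0 + c_1 x + ... with coefficients in F_{2^11}."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r

def generator():
    """g(X) = prod_{i in Q} (X + alpha^i); Q is closed under doubling, so g has F_2 coefficients."""
    g = [1]
    for i in Q:
        g = poly_mul(g, [gf_pow(ALPHA, i), 1])
    assert all(c in (0, 1) for c in g)
    return g

def encode(msg_bits):
    """12 message bits -> codeword c(X) = m(X) g(X) of length 23."""
    c = poly_mul(msg_bits, generator())
    return c + [0] * (N - len(c))

def fourier(word):
    """S_i = word(alpha^i) for i = 0..n-1; the S_i with i in Q are the syndromes."""
    return [poly_eval(word, gf_pow(ALPHA, i)) for i in range(N)]

def locator(positions):
    """sigma(Z) = prod (1 + alpha^u Z) as [1, sigma_1, ..., sigma_w]."""
    s = [1]
    for u in positions:
        s = poly_mul(s, [1, gf_pow(ALPHA, u)])
    return s

def newton_identities_hold(S, sigma):
    """Check (1) for i = 1..n+w with cyclic indices; i*sigma_i survives only for odd i in char 2."""
    w = len(sigma) - 1
    for i in range(1, N + w + 1):
        acc = S[i % N]
        for j in range(1, min(i - 1, w) + 1):
            acc ^= gf_mul(sigma[j], S[(i - j) % N])
        if i <= w and i % 2 == 1:
            acc ^= sigma[i]
        if acc:
            return False
    return True

def chien_search(sigma):
    """Error positions u with sigma(alpha^-u) = 0."""
    return [u for u in range(N) if poly_eval(sigma, gf_pow(ALPHA, N - u)) == 0]

def decode_up_to_two(received):
    """One-step decoding for weight <= 2 from S_1, S_3 (both in Q): i=1 gives sigma_1 = S_1,
    i=2 gives S_2 = S_1^2 (so S_3 = S_1^3 is the weight-one test, a relation of T_1), and
    i=3 gives S_1 sigma_2 + (S_3 + S_1^3) = 0, i.e. p_2 sigma_2 + q_2 with p_2 = S_1 != 0."""
    S = fourier(received)
    S1, S3 = S[1], S[3]
    if S1 == 0:
        return []                       # weight 0 (assuming at most two errors)
    if S3 == gf_pow(S1, 3):
        return chien_search([1, S1])    # weight 1: sigma(Z) = 1 + S_1 Z
    sigma2 = gf_mul(S3 ^ gf_pow(S1, 3), gf_pow(S1, (1 << M) - 2))   # q_2 / p_2
    return chien_search([1, S1, sigma2])
```

The division by $p_2 = S_1$ in the last step is the division the paper's second contribution removes; here it is harmless only because $S_1 = \alpha^{u_1} + \alpha^{u_2}$ cannot vanish for two distinct positions, and because 1, 2, 3 all lie in $Q$ for $l = 23$, so no unknown syndrome has to be eliminated before weight three.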